26 April – 05 May 2015


US – FBI Seeks Privacy Act Exemptions for Its Biometric Database

Seeking to avoid compromising law enforcement investigations, the FBI wants to prevent individuals from discovering if their information is contained within the agency’s biometric database. The Justice Department will propose the FBI’s “Next Generation Identification System” be withheld from provisions of the Privacy Act. The NGIS gathers information on individuals, including palm prints, fingerprints, iris scans and facial photographs. The FBI fears that letting individuals know if their information is within the database could affect law enforcement investigations by undermining “national security efforts,” or possibly revealing a “sensitive investigative technique.” The Electronic Privacy Information Center’s Jeramie Scott said, “If you have no ability to access the record the FBI has on you, even when you’re not part of an investigation … and lo and behold inaccurate information forms ‘a pattern of activity’ that then subjects you to [be] the focus of the FBI, then that’s a problem.” [Nextgov]

RU – Facial Recognition App An ‘Unmitigated Privacy Disaster’

FindFace, a facial recognition app, has caused a stir within Russia, and its creators are working to halt malicious use. While the app has been used to take pictures of subway riders and locate them on Vkontakte, Russia’s version of Facebook, others have used it for more nefarious purposes, including outing Russian porn stars. Maxim Perlin, the founder of FindFace, said the company is “making every effort to protect all Vkontakte users from potential malicious acts,” but it’s difficult to stop the bad behavior. FindFace’s power comes from NTechLab, the company developing the facial recognition technology used by the app. NTechLab won the University of Washington’s face recognition challenge, beating out Google’s FaceNet program, by identifying 73% of individuals in a set of 500,000 images. [Fusion] [Facial Recognition Used to Strip Sex Workers of Anonymity]

US – Lunchroom Print Scanners Problematic?

Biometric company PushCoin and its lunch line fingerprint scanners have proponents lauding their convenience, but civil libertarians warn their growing preeminence may adversely dilute privacy attitudes. “I think it undermines the notion of really thinking about the importance of your biometrics as a matter of privacy,” said an ACLU spokesman. “I think in this age, when so much is available and so much is accessible online about us and there is all of this information that floats out there, to begin to include in this one’s biometrics, it really does raise some legitimate concerns.” [Daily Herald]


CA – Privacy Important to Business but Many Lack Privacy Basics: OPC Survey

While it is encouraging that businesses are increasingly using more tools to protect personal information, according to a recent survey, there is still room for improvement when it comes to meeting privacy obligations and preparing for soon-to-be-in-force mandatory breach requirements. These were among the findings revealed in the Office of the Privacy Commissioner’s (OPC) biannual telephone survey of 1,016 Canadian businesses. The survey seeks to examine the privacy awareness and practices of Canadian businesses. The findings come ahead of the coming into force of mandatory data breach obligations under federal privacy law. The survey showed some positive developments in certain areas. For example, 41% are “concerned” about suffering a potential data breach (up from 31% in 2013). The OPC was also encouraged to see that an increasing percentage (83%, up from 78% in 2013) said their business uses technological tools, such as passwords, firewalls and encryption, to protect customer personal information. The survey, however, revealed limited movement in other areas. For example, only 41% (up slightly from 37% in 2013) have policies and procedures in place to deal with a breach. In addition, less than half said they have privacy policies to inform customers about the personal information they collect and how it is used. The complete survey, which is considered to be accurate to within +/- 3.1%, 19 times out of 20, can be found on our website at www.priv.gc.ca. [Source]

CA – Canadian Spy Agency CSE Won’t Reveal Number of Privacy Breaches

The Communications Security Establishment is refusing to release the number of privacy breaches the agency has logged since 2007. Documents obtained by the Star state the intelligence and cyber defence agency has maintained a central database for certain privacy violations since 2007. These breaches are categorized as minor “procedural errors” or more serious “privacy incidents,” and reviewed by the CSE Commissioner’s office every year. The Star requested just the number of breaches — no details about what actually transpired or the Canadian personal information involved — but was told the agency could not comply due to “operational security concerns.” “Releasing the number of (breaches) would provide insight into CSE’s capacity to conduct operations, the extent of its capabilities, the degree to which partner organizations benefit from sharing and the reach of the programs,” wrote spokesperson Ryan Foreman in an email last week. Documents tabled in Parliament last month show CSE logged 13 privacy and information breaches in 2015, affecting at least 630 individuals. The agency did not report any of the privacy breaches to the federal privacy commissioner, as CSE determined that there was “no significant risk” to the individuals involved. CSE further refused to report the activities that led to the breaches. The Star reported Sunday that the agency has been in a year-long debate with the Privacy Commissioner Daniel Therrien’s office over how much information CSE is required to report about privacy breaches. A government-wide regulation requires all serious breaches to be reported to the privacy watchdog, but a “discussion” about how best to do that has been dragging on since at least January 2015. On Monday, NDP foreign affairs critic Hélène Laverdière asked Defence Minister Harjit Sajjan to explain why CSE is resisting turning information over to Therrien’s office. 
“CSE has proactively worked with the commissioner on all aspects, and they do have a good working relationship,” said Sajjan, who is responsible for the intelligence agency. “CSE abides by Canadian law, including the Privacy Act.” [Star]

CA – OPC Funds Ten New Privacy Studies

This week, Canada’s Office of the Privacy Commissioner announced the research projects receiving funding in 2016-2017 under the annual OPC Contributions Program. They are:

  • Decision-Making and Privacy: How Youth Make Choices About Reputational and Data Privacy Online
  • Big Data Ethics Initiative: Assessment for Canadian Organizations
  • Understanding, Discovering and Asserting Personal Privacy Preferences: A Feasibility Study
  • E-Learning Courses on Anonymizing Data
  • Effects of Informal Online Regulatory Regimes on Privacy
  • The Peer Privacy Protectors Project: Innovative Youth-Led Privacy Education
  • Between Memory and Forgetting: Consumers and Digital Death
  • Cloud Atlas: A Citizen’s Guide to Online Privacy and Surveillance Using IXmaps
  • “Protect your Privacy—Online!” Educational Program
  • Left to their own Devices: Privacy Implications of Wearable Technology in Canadian Workplaces [Source]

CA – Children’s Aid Class Action Seeks $25 Million Damages from Hacking

A lawsuit was filed in Ontario court by an individual against county service organizations, a government minister, and others, alleging damages caused by a data breach. The PI of 285 clients was hacked and then posted on a social media site; causes of action include negligence, breach of fiduciary duty and confidence, negligent misrepresentation and intrusion upon seclusion (e.g. a failure to use adequate firewalls, encryption, and up-to-date security protocols and to heed warnings about inadequate system security), a breach of Ontario’s FOI legislation (security was not appropriate to the sensitivity of the PI), and a breach of the Charter of Rights and Freedoms (operational negligence). [M.M. v. Family and Children’s Services of Lanark et al. – Statement of Claim – Ontario Superior Court of Justice] [Class action filed after privacy breach at one Ontario children’s aid office]

CA – Canada Considering Spying on Kids to Stop Cyberbullying

The Canadian government is looking for a person or organization to “conduct an evaluation of an innovative cyberbullying prevention or intervention initiative” in a “sample of school-aged children and youth,” according to a tender notice published by Public Safety Canada last week. Although nothing has been finalized, the government will consider letting the organization spy on kids’ digital communications to do it, Barry McKenna, the Public Safety procurement consultant in charge of the tender, said. “The tender doesn’t preclude or necessarily require digital monitoring,” said McKenna. “But there are certainly products on the market that do that, and I would guess that that kind of intervention would be one of interest.” The school board overseeing the school used in the study would have to sign off on digital surveillance of kids, McKenna said, and so would Public Safety. McKenna would not disclose whether any person or organization has responded to the tender yet. The government has budgeted $60,000 for the program, the notice states. [Source]

CA – Rise of Private Surveillance Cameras Points to Legal Limbo

As more homeowners spread the reach of “Little Brother” by installing security cameras on their property, chances are images of their neighbours’ properties or the neighbours themselves could end up being recorded without their knowledge. And while provincial and federal privacy laws are designed to protect citizens from snooping by governments and businesses, they don’t apply to cameras on individuals’ private property. The Office of the Information and Privacy Commissioner for B.C. doesn’t have jurisdiction over homeowners who use security cameras or collect data for personal use, spokeswoman Michelle Mitchell said. But private citizens using the camera or the data for commercial purposes would be subject to the provincial Personal Information Protection Act — “for example, if a homeowner who is also a landlord has a CCTV camera that happens to capture images of a tenant,” Mitchell said. “It is not the type of device (i.e., CCTV system), or its location, but why the information is being collected, and what it is being used for, that determines whether our office has jurisdiction,” said Mitchell. [Source]


UK – Study Reveals Post-Snowden Surveillance Chilling Effect

A new study from Oxford University reveals empirical evidence that knowledge of government mass surveillance programs makes the public less likely to read articles about surveillance and other related topics online. The study analyzed Wikipedia traffic before and after the June 2013 Snowden revelations and found evidence of “chilling effects.” Traffic on “privacy-sensitive” articles went down after the “exogenous shock” from the initial Snowden coverage. The articles chosen in the study were based on keywords that are flagged by the Department of Homeland Security for “suspicious” activity. “It means that the NSA/PRISM surveillance revelations … are associated in the findings not only with a sudden chilling effect, but also a longer term, possibly even permanent, decrease in Web traffic to the Wikipedia pages studied,” said the study’s author, Jon Penney. [Full Story]


US – Federal Government Accepted All 2015 Surveillance Requests

An as-yet-unreleased Justice Department report disclosed that the Foreign Intelligence Surveillance Court received 1,457 communication surveillance warrants from federal law enforcement in 2015, approving all “entirely or in part.” While most of the requests were focused on foreigners’ data, one in five of the warrants concerned Americans, the report states. Meanwhile, Facebook indicated that 60 percent of its government-initiated data requests from 2015 prohibited the company from alerting their users, according to U.S. News & World Report. However, “Facebook does not provide any government with ‘back doors’ or direct access to people’s data,” said Facebook Deputy General Counsel Chris Sonderby. “If a request appears to be deficient or overly broad, we push back hard and will fight in court, if necessary.” [ZDNet]

Electronic Records

AU – My Health Record System A ‘Privacy Disaster Waiting to Happen’: APF

The Australian Privacy Foundation has major problems with the federal government’s My Health Record system, saying it’s a “privacy disaster waiting to happen.” The APF says the biggest problem with My Health Record is the amount of access its Medicare Call Centre’s employees have to the system’s data. While the government said it would provide a “clear and robust framework” for the call center in 2011, the APF said not enough has been done in the past five years. “This total failure to deliver on its promise and put in place much needed protections exposes patients to curious call centre operators whose prying and spying are unlikely to be detected,” said Dr. Bernard Robertson-Dunn, chair of the health committee at the APF. [Delimiter]

CA – Insurance Industry Needs to Keep Pace With Data Security

The Canadian life and health insurance industry is making good strides in moving ahead with electronic data exchange, but now needs to ensure that it is keeping pace with ongoing compliance and cyber security issues, a conference was told. Tana Sabatino, implementation services specialist at the Canadian Life Insurance EDI Standards (CLIEDIS), told the organization’s annual seminar in Toronto that its top goal for this year is to concentrate on getting reliable feeds from the advisor to the distributor and over to the carrier. CLIEDIS is the industry association that promotes using electronic data among key members of the life insurance industry, including advisors, managing general agencies (MGAs) and life insurance carriers. Part of that agenda calls for CLIEDIS to ensure data security among members by streamlining the number of feeds a distributor needs to connect with carriers. Sabatino said there can’t be a situation in which every carrier has a different data stream agreement that each imposes on MGAs. “HUB [for example] isn’t going to implement 15 different security sets of requirements. They’re going to have one, because they have one set of systems.” [Source]


US – Man Jailed for Seven Months (and Counting) for Failure to Decrypt

An unidentified Pennsylvania man has been held in jail for seven months because he has refused to decrypt hard drives that authorities believe contain illicit images. He has not been charged, but is being held in custody because he was found to be in contempt of court for his refusal. The Electronic Frontier Foundation (EFF) has filed an amicus brief on the defendant’s behalf. [Ars Technica] [Electronic Frontier Foundation Amicus Brief] [Ars Technica]

EU Developments

UK – Government Refuses to Give SC Commish Powers He Didn’t Request

The government has refused to give the Surveillance Camera Commissioner (SCC) extra enforcement powers. The problem is that the SCC hadn’t asked for any more powers. In a very brief letter to SCC Tony Porter, the incumbent commissioner, junior Home Office minister Mike Penning said the government was “not yet convinced that granting your office enforcement and sanction powers would improve compliance.” Penning’s remarkably curt letter also informed Porter that he, Penning, would not be available to meet to discuss the SCC’s annual review of CCTV surveillance, which was published earlier this year. He also noted that the Protection of Freedoms Act 2012, which established the commissioner’s office, is “due for post-legislative scrutiny in 2017.” As we previously reported, speaking at an event hosted by the National Security Inspectorate, a non-governmental certification body on 10 March last year, Porter acknowledged that “one thing that has been levelled at the code and my role is that it lacks teeth. This is a fair comment I think. I don’t have any powers of sanction or inspection. So if a relevant authority is not paying due regard to the code of practice there is not much I can do.” Despite this criticism, in another letter to the minister Porter noted that Penning’s response was “confusing” as he “did not request any powers of enforcement or sanction in the Review.” Porter’s 20-page Review of the impact and operation of the Surveillance Camera Code of Practice was published in February. Penning’s brief letter did not respond to several of the issues raised in Porter’s review. The SCC stated that he was “disappointed that apart from recommendation three, there was no comment on any of the other recommendations.” [The Register]

EU – Commission Issues New Action Plan for Privacy Standards

On 19 April 2016 the European Commission published its Communication ‘ICT Standardisation Priorities for the Digital Single Market’. The Communication was part of the wider ‘Digitising European Industry’ announcement on 19 April – read our blog here for full details of what was announced. The ICT Priorities Communication thrusts into the limelight an obscure but vitally important area of policy: the setting of common technical specifications for ICT products and services, particularly those related to the ability of different devices to communicate with each other. According to the Communication, common standards that ensure interoperability between digital technologies are the foundation of an effective Digital Single Market. The Communication identifies numerous challenges faced by the current legal framework through which technical standard setting at a European level takes place. The Commission’s solution to these challenges is the adoption of a priority action plan set out in the Communication that comprises i) the identification of five priority ‘building block’ areas of the ICT sector in relation to which standardisation efforts are to be focused (5G, IoT, Cybersecurity, Cloud and Big Data); and ii) a high level political process to validate, monitor and, where necessary, adapt the list of priority areas. [Hogan Lovells]

EU – Other EU News


CA – Compromised Bank Cards Lead to Few Answers From Banks

The president of the Consumers’ Association of Canada is calling on banks to become more transparent and release information about what he feels is an increase in the number of compromised bank cards.

“We’ve seen an escalation in the last 12 months of compromised bank accounts, credit cards, debit cards and PINs,” Bruce Cran said. His organization has received “hundreds” of complaints, not only about initial compromises, but repeated compromises on the same account. He said some accounts were compromised as many as four times last year. “The mere volume of what’s happening at the moment indicates to us that there’s a bigger problem here,” he said. “In terms of privacy breaches involving banking institutions, it’s unusual that you would have a number of banks all at the same time formally notifying customers by mail of their card being compromised,” he said. “This is very unusual.” Charney said privacy is not a reason to withhold information from customers. “What it sounds like to me is some kind of excuse in the short term for the banks to continue to investigate and respond to this data breach before they have to publicly announce it,” Charney said. [CBC]


CA – Saskatchewan Charging Media $180K to Access Land Deal Documents

Attempts by media to obtain documents relating to the controversial Global Transportation Hub (GTH) land deal aren’t coming cheap; the province says it’s going to cost $180,000. A total of 29 Freedom of Information (FOI) requests were filed by the CBC. Fifteen were sent to the GTH and 14 to the Ministry of Highways. According to the province’s estimates the requests could total approximately 9,500 pages.

“In the electronic age it means going back to back-up tapes to get some things. Also, government’s older records are stored off site and we have to get those things in,” Deputy Minister of Justice Kevin Fenwick explained. However, the opposition NDP decried the government’s excuses and is calling it a clear cover-up. “We are talking about a fiasco that ultimately saw a Crown corporation pay alleged Sask. Party insiders three times the estimated value of land close to the Regina highway bypass,” Wotherspoon added. “He needs to scrap this bill and hand over this information.” Meanwhile, a complaint has been filed by the CBC with Saskatchewan’s Information and Privacy Commissioner. [Global News]

CA – Fredericton Secret Meeting Broke the Rules, Privacy Commissioner Says

Everyone who attended a closed-door meeting of Fredericton city council where it approved a letter in support of the Energy East pipeline should have known it was against the Municipalities Act, the province’s privacy watchdog says. Access to Information and Privacy Commissioner Anne Bertrand has been following the controversy after the city sent a letter to the prime minister in support of the pipeline after an in camera meeting on Jan. 26. Thursday, the city issued a statement acknowledging it did not follow the proper process when it sent the letter. Bertrand said, under the act, municipalities are supposed to be open and transparent by default about every decision they make. “They only go to closed sessions when it is necessary, and there are 10 instances that they can do that. So they can’t just decide that anything goes to a closed session,” she said. Bertrand said obvious examples include labour and employment issues, security issues or criminal investigations. [Source]

CA – Fontaine v. Canada Ruling Favours Privacy Of IRS Survivors

In a case that tied questions of aboriginal law with privacy law, the Ontario Court of Appeal decided indigenous Canadians who suffered abuse in residential schools could decide whether their evidence will be archived or destroyed after a mandatory 15-year retention period. Part of the question in Fontaine v. Canada was who gets to decide whether claimants’ testimony, submitted as part of the Indian Residential Schools Settlement Agreement, would be archived or destroyed. Detailed and often traumatic personal stories of abuse are gathered under the IRSSA’s Independent Assessment Program. The court said the appeals before it raised “the question whether the survivors control the stories of their residential school experiences or whether others do.” In Fontaine, a number of Catholic institutions argued they, too, should consent before the redacted evidence is archived at the National Centre for Truth and Reconciliation and potentially available for access by future generations. They argued the decision to archive the documents affects the alleged perpetrators and the churches. A lower court judge had found the only consent needed to archive the evidence is that of the claimants themselves. In a decision dated April 4, the court of appeal agreed. [Source]

EU – Google RTBF Requests Report for Europe

Google released a transparency report, presenting figures on European right to be forgotten requests for online searches since the European Court of Justice ruling of May 2014. A total of almost 1.5 million URLs have been evaluated, and of the 422,000 requests for removal, 42.8% were removed; 10 social network sites and search directories account for 8% of all URL removal requests. [Transparency Report: European Privacy Requests for Search Removals – Google]

US – ODNI Publishes 2015 Transparency Report

The Office of the Director of National Intelligence (ODNI) released its third annual transparency report. The report offers statistics about the frequency with which the government employs certain national security authorities, according to a press release. The release follows President Barack Obama’s 2013 direction to the intelligence community that it both declassify and make public data on U.S. surveillance activities to the extent that it was possible while still protecting national security data. Further, the USA FREEDOM Act of 2015 codified the statistics published in the DNI’s annual reports. The release covers “information concerning United States person search terms and queries of certain unminimized, [Foreign Intelligence Surveillance Act]-acquired information,” in addition to unique identifiers from FISA orders. [Source]

US – FBI Customer Record Requests Up 50% in 2015

A U.S. government transparency report revealed FBI requests for customer records were up 50 percent in 2015. The FBI sent 48,642 National Security Letters to Internet and telecommunications companies last year, up from the 33,024 letters in 2014. An NSL is sent by the FBI requesting information on an individual, including phone numbers, emails, IP addresses and other information. The report also states that 31,863 of the requests were made on foreigners, attributed to law enforcement efforts to track terrorist groups such as the Islamic State. In related news, U.S. District Judge Yvonne Rogers has stopped Twitter’s attempt to release more information on surveillance orders it receives from the government. “The First Amendment does not permit a person subject to secrecy obligations to disclose classified national security information,” Rogers wrote. Twitter will have the chance to re-file its case. [Source]


CA – NS Suspends “Unreliable” Hair Testing for Child Protection Cases

Nova Scotia has become the fourth known province to suspend or ban the use of drug and alcohol hair testing in child protection proceedings, after New Brunswick, British Columbia and Ontario. The move comes in the wake of a 2014 Star investigation into the Hospital for Sick Children’s Motherisk laboratory, which found that prior to 2010, the lab was using a hair test that was not recognized as the “gold standard.” An independent review deemed the hair test results “inadequate and unreliable” in 2015. They were used in potentially thousands of child protection cases in Ontario as well as in British Columbia, Quebec, Nova Scotia and New Brunswick, where they were routinely accepted as evidence with little scrutiny in court. Questions have been raised for years about hair strand testing, regardless of the laboratory performing the service. Because of the effect of alcohol-based hair products, “the risk for false-positive results appears high when monitoring a female population,” Motherisk’s own manager at the time, Joey Gareri, wrote in a 2011 paper he co-authored with Motherisk founder and director Gideon Koren. Studies have also suggested that drugs appear to be incorporated more readily into darker-coloured hair, and there is also evidence that the way substances are incorporated into the hair of a single individual may vary from strand to strand. Motherisk ceased its hair testing practices in 2015 prior to the completion of the independent review, but some provinces were still using hair tests from other labs in some cases until very recently. [Source]

Health / Medical

CA – Massive Health Information Overhaul Coming to Alberta

Patients tired of retelling medical histories, physicians frustrated with a cumbersome record system too reliant on paper, and administrators struggling to cut costs hope to benefit from a massive health information overhaul in Alberta. The government has vowed to invest $400 million over the next five years to begin replacing most of the 1,300 unconnected technology platforms currently in use within Alberta Health Services. The new, single clinical information system will be deployed across the province after an initial rollout in Edmonton facilities, where an antiquated, 30-year-old technology has been a festering headache. Dr. Robert Hayward, chief medical information officer for AHS, described a clinical information system as a giant integrated data hub that serves every aspect of the health system a patient might touch, from drug prescriptions and diagnostic tests to rehab clinics and home care. He said the best systems not only offer information for individual users, but can also manage broad, systemwide data on admissions and discharges, and the management of beds and supplies. For patients, Hayward said one of the biggest benefits will be the ability to have a single medical record that can be accessed by health providers at any point in the system. Currently, patients are often forced to repeatedly explain their health stories to different professionals, rather than having a seamless experience in which everyone is working from the same information. The system is also expected to have a portal for patients to access their own information. For health professionals, the arrival of the system should modernize processes that are often described as excessively time consuming and prone to error. Hayward said $400 million will “kick-start” the project by allowing AHS to issue a request for proposals. 
It’s expected the successful company will need a couple of years to install the new technology platform across the Edmonton zone, which is behind Calgary and plagued with a system at risk of failure. Then, over the next 10 years, the idea is to extend the system all over the province so that every provider can use it, including small doctors’ offices. Hayward said cost savings from the first rollout of the technology will be used to fund the later stages. [Edmonton Journal]

CA – Settlement Reached in Lawsuit After Edmonton Medicentre Laptop Theft

A settlement has been reached in a class-action lawsuit filed after a laptop containing the personal health information of 620,000 Albertans went missing. The settlement totals $725,000 to resolve credit damage, mental distress, increased risk of future identity theft and time and costs associated with preventing identity theft. The lawsuit originally sought $11 million. It was filed in 2014 against Medicentres Canada Inc., AbleIT Inc. and third-party individuals after an unencrypted laptop of an IT consultant for Medicentres was stolen from an Edmonton medical clinic in September 2013. The computer contained the names, birth dates, Alberta Health Care numbers and Alberta Health diagnostic codes of people who attended a Medicentre clinic in Edmonton or Calgary between May 2, 2011, and Sept. 19, 2013. People who were affected by the records loss can register with the law firms. There are different categories of claimants, including those who suffered mental stress and sought medical attention; those who can show that their identities had been stolen as a result; and those concerned about identity theft. [Source]

UK – NHS to Share 1.6 Million Health Records with Google AI Company

Google’s artificial intelligence company DeepMind has struck a deal with the UK’s NHS to access healthcare data of 1.6 million people. The agreement allows DeepMind access to current and historical data for patients at three London hospitals to develop an app to help monitor patients with kidney disease. The access granted in the agreement covers all health data, not just kidney disease data. [New Scientist] [The Register] [SCMagazine] [v3.co.uk] See also: [Google company’s access to NHS records raises privacy concerns]

WW – Why Cybercriminals Attack Healthcare More Than Any Other Industry

Cybercriminals attacked the healthcare industry at a higher rate than any other sector in 2015, and more than 100 million healthcare records were compromised last year, according to a new report published by IBM. In fact, 2015 was “the year of the healthcare breach,” IBM said in its 2016 Cyber Security Intelligence Index. The rate of attacks against the healthcare sector climbed to the highest level of all industries studied in 2015, after not making the top five in 2014, as healthcare leaped ahead of the manufacturing, financial services, government and transportation industries. Data breaches in the healthcare sector are also getting larger – with five of the eight largest health data breaches reported since 2010 (those with more than 1 million records compromised) occurring in the first six months of 2015, IBM’s report said. And the cost of data breaches is going up, particularly in healthcare, according to IBM’s 2015 Cost of a Data Breach study. While the average cost of a data breach across all industries was $3.8 million in 2014 – up 23% from 2013 – the cost per record in the healthcare sector was $363 per record breached, more than twice the overall average of $154 per record. [Source]

Horror Stories

WW – Massive Breaches at Major Email Services, 272.3 Million Affected

Hundreds of millions of hacked user names and passwords for email accounts and other websites are being traded in Russia’s criminal underworld. The discovery of 272.3 million stolen accounts included a majority of users of Mail.ru, Russia’s most popular email service, and smaller fractions of Google, Yahoo and Microsoft email users, said Alex Holden, founder and chief information security officer of Hold Security. It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago. [Reuters]

WW – Notable Privacy Breaches

Intellectual Property

US – Self-regulatory Group Takes Action Against Three App Developers

Three popular app publishers have changed their privacy practices after the enforcement arm of the Better Business Bureau found they were out of compliance with accepted self-regulatory standards. The makers of Spinrilla, Top Free Games and Bearbit Studios were found to be out of compliance with the Digital Advertising Alliance’s Self-Regulatory Principles. [Full Story]

Internet / WWW

WW – Google for Work & Google Cloud Get New Security/Privacy Certs

In what is clearly part of the company’s efforts to get more enterprise customers on its platforms, Google announced that it has renewed its ISO 27001 certification for the fourth year in a row and upped its product coverage from 34 to 59 products. In addition, Google Apps for Work and the Google Cloud Platform have now also been certified for ISO 27017 for cloud security and ISO 27018 for privacy. Google already said it would adopt ISO 27018 for Google Apps for Work last year. ISO 27017 basically certifies that Google’s virtual networks are as secure as its physical networks, that data is protected and inaccessible to other customers on the same platform and that it’s clear which security responsibilities fall on Google and which are the customer’s. ISO 27018 mostly covers privacy controls. It certifies that Google doesn’t use its customers’ data on the covered platforms for advertising, for example, and that the customers’ data remains theirs. It also certifies that Google lets you delete and export your data and is transparent about where the data is stored. Because enterprises do look for these certifications when they decide on a cloud provider, it’s no surprise that Amazon’s AWS and Microsoft’s Azure also offer similar compliance assurances. AWS already offers the same ISO 27001, 27017 and 27018 certifications as Google, for example. Azure, too, is ISO 27001- and 27018-compliant. [Source]

Law Enforcement

US – Maryland Cops Deploy StingRay Tech Against Chicken-Wing Thief

Police in Maryland, US, used controversial cellphone-tracking technology intended only for the most serious crimes to track down a man who stole $50 of chicken wings. Police in Annapolis used a StingRay cell tower simulator in an effort to find the location of a man who had earlier robbed a Pizza Boli employee of 15 chicken wings and three sandwiches. Total worth: $56.77. In that case, according to the police log, a court order was sought and received, but in many other cases across the U.S. the technology is being used with minimal oversight, despite the fact it is only supposed to be used in the most serious cases such as terrorism. Annapolis police never found the thief, but he represented just one of 17 occasions on which the city of 40,000 people used the device in 2011. Its use is far more prevalent in larger cities. The Philip Merrill College of Journalism’s Capital News Service found that Maryland State Police has used a StingRay at least 125 times since 2012. Howard County, which lies to the south of Baltimore and has a population of 300,000, has used a StingRay 129 times since 2011. The police in Baltimore City have used their StingRay an extraordinary 4,300 times since 2007, sparking an investigation and review of 2,000 of them. New York City has used its StingRay more than 1,000 times since 2008. [The Register]


US – Westin Centre Issues New Geolocation Practice Guide

Geolocation is used for purposes ranging from emergency services to targeted advertising to fraud prevention. For consumers, the use of geolocation has obvious benefits — though concerns over how this data is collected, accessed and used, and by whom, has been a consistent topic of debate. Regulators from across the globe have weighed in with guidance and legislation, industry groups have issued codes of conduct and even the U.S. Supreme Court has offered an opinion. This IAPP Westin Center Practice Guide offers a quick way to get up to speed on geolocation and the issues surrounding it. [Full Story]

EU – Healthcare Apps and Wearables Create High Risks for Users: German DPAs

During their last Data Protection Conference, the German data protection authorities (DPAs) agreed on a resolution on data protection principles that providers of healthcare apps and wearables should consider. According to the resolution, almost a third of the German population 14 years or older uses wearables (body-worn devices that record an individual’s health data) and healthcare apps (mobile device software offering health-related services). The DPAs claim that these devices and apps collect personal health data, which is subsequently transmitted to manufacturers, internet providers, and other third parties. In general, under German law, a company may collect, process, and use personal health data only if specifically authorized by law, such as the German Federal Data Protection Act (FDPA), or if the data subject has consented. The resolution clarifies how these requirements apply to wearables and apps:

  • Manufacturers of wearables and healthcare apps should use data privacy-friendly technologies and default settings (e.g., privacy by design), and should adhere to the principles of data reduction and data minimization, as well as anonymization/pseudonymization.
  • A data subject’s consent regarding the collection, processing, and use of personal health data should be transparent, particularly regarding a transfer to third parties.
  • In the context of employment and insurance, any consent to the use of personal health data is likely invalid, given the significant negotiating imbalance between the parties. Consistent with the German DPAs’ view, the Dutch DPA recently stated that an employee’s consent to the use of wearables is not valid because of the employee’s financial dependence on the employer.
  • Legal requirements for data security cannot be waived contractually or via consent.
  • In the case that multiple parties are involved in the creation or distribution of wearables and healthcare apps, those parties have a joint responsibility for the wearables and apps, including issues such as meeting quality standards, ensuring IT security, functionality, and the transparency of data usage. However, the resolution does not explain how joint responsibility should operate in practice. [Source]

Online Privacy

US – Supreme Court Gives FBI More Hacking Power

The Supreme Court this week approved changes that would make it easier for the FBI to hack into computers, many of them belonging to victims of cybercrime. The changes will take effect in December, unless Congress adopts competing legislation. Previously, under the federal rules of criminal procedure, a magistrate judge couldn’t approve a warrant request to search a computer remotely if the investigator didn’t know where the computer was, because it might be outside his or her jurisdiction. The rule change, sent in a letter to Congress on Thursday, would allow a magistrate judge to issue a warrant to search or seize an electronic device if the target is using anonymity software like Tor. Over a million people use Tor to browse popular websites like Facebook every month for perfectly legitimate reasons, in addition to criminals who use it to hide their locations. The changes, which would allow the FBI to go hunting for anyone browsing the Internet anonymously in the U.S. with a single warrant, are already raising concerns among privacy advocates who have been closely following the issue. [The Intercept]

Privacy (US)

US – SCOTUS Approves Rule 41 Update, Privacy Advocates Outraged

The Supreme Court approved an update to Rule 41 this week, effectively expanding judges’ abilities to issue warrants for access to computers outside of their jurisdictions. The move has drawn criticism from Sen. Ron Wyden, D-Ore., and several privacy advocates. Last month, Wyden warned of the potential change and vowed to stop it. Congress has until Dec. 1 to either amend or deny the update. “Under the proposed rules, the government would now be able to obtain a single warrant to access and search thousands or millions of computers at once; and the vast majority of the affected computers would belong to the victims, not the perpetrators, of a cybercrime,” said Wyden. Open Technology Institute’s Kevin Bankston said the “obscure rule change” authorized “a whole lot more” government hacking. [Morning Consult] See also: [A retail industry group is railing against a bill that would require companies to notify customers following a breach and set nationwide data security standards similar to those in the financial sector] and [A House Committee on Education and the Workforce hearing to evaluate the 1974 Family Educational Rights and Privacy Act and how Congress should update it.]


WW – SS7 Network Leaves Major Hole in Cellphone Security

Vulnerabilities in the Signaling System No. 7 network have caused major problems for smartphone security. SS7 is the set of technical rules governing how data is exchanged between cellular networks, used mainly for computing cellular billing, routing text messages, and supporting users when they are roaming. The vulnerability in the network was revealed last week during a “60 Minutes” episode in which researchers demonstrated how they could hack into the smartphone of Rep. Ted Lieu, D-Calif. Lieu has since called for a congressional hearing on SS7, and the Federal Communications Commission has said it will examine the issue as well. [Wired]

WW – Latest Security Study Worry: How Many Times Will You Be Breached?

The threat level of cyber attacks on virtually every organization continues to increase, with more than half of companies reporting the loss of customer data due to DDoS attacks, and three-quarters of organizations suffering a breach in 2015. Those are among the findings of the latest research from Neustar, Inc., from its third global DDoS Attacks and Protection Report, titled The Threatscape Widens: DDoS Aggression and the Evolution of IoT Risks. The research results show that although revenue loss caused by a DDoS-related outage is usually the main concern of targeted organizations, 57% of all breaches involved some sort of theft, including intellectual property and customer data as well as financial information. “More troubling, following the initial breach, 45% of organizations reported the installation of a virus or malware – a sign that attackers are interested in causing ongoing harm,” the report explains. The research highlights that although DDoS attack tactics continue to evolve from single large attacks intended to take a website offline to the multi-vector attacks we are seeing today, organizations are fighting back. The research revealed that 76% of companies are investing more in DDoS protection than in 2014, and 47% of the attacked organizations are participating in security consortiums to share information on threats and countermeasures. [Source] [Neustar Press Release]

Smart Cars / Internet of Things

WW – Samsung SmartThings Vulnerabilities

Researchers from the University of Michigan have published an “in-depth empirical security analysis” of Samsung’s SmartThings smart home platform, a program that allows people to use SmartApps to control all sorts of Internet-connected devices in their home from their smartphone. The researchers found they could trigger false smoke alarms and plant code in digital locks that would allow them access to the house. They noted that SmartApps are capable of gaining privileges they do not need, and that the SmartThings event subsystem offers inadequate protection of events that transmit sensitive data. [The Register] [Wired] [CNET] [Ars Technica] [Security Analysis of Emerging Smart Home Applications]

SG – Singapore Ramping Up Smart City Efforts

Singapore is planning to create the most elaborate and comprehensive smart city in the world. The country plans on placing an undetermined number of cameras and sensors around the city, permitting the government to check everything from crowd numbers to the movement of vehicles. While the smart city’s capabilities won’t be fully realized until after it is implemented, some early uses could include monitoring events such as the spread of infectious diseases. The government is working on finding the best way to ensure citizens’ privacy won’t be violated, according to the report. While public meetings haven’t been held on protecting citizens’ privacy, the government insists collected data will be anonymized as much as possible. [The Wall Street Journal]

US – Proposed Michigan Bills Would Have Car Hackers Face Life in Prison

State legislators in Michigan have introduced two bills that would impose a life prison sentence for anyone who maliciously accesses automobile computer systems. One of the bills reads, in part, “a person shall not intentionally access or cause access to be made to an electronic system of a motor vehicle to willfully destroy, damage, impair, alter, or gain unauthorized control of the motor vehicle.” [ComputerWorld] [The Register] [CNET]

CA – Lawyers Ask SCOC to Consider “Black Box” Privacy

Two Kamloops lawyers are making a bid to overturn a B.C. Court of Appeal decision that found drivers have no expectation of privacy relating to data in their vehicle’s black box. Wayne Fedan, 54, of Kamloops was convicted in September 2014 of dangerous driving causing death in connection with a crash four years earlier. He was sentenced to three years in prison and handed a three-year driving ban to begin following his sentence. The sentencing judge found data contained in the black box of Fedan’s pickup truck showed his foot was on the accelerator as he rounded a corner at more than twice the posted speed limit. Lawyers Micah Rankin and Anthony Varesi have filed an argument with the Supreme Court of Canada. The court has yet to decide whether it will hear the appeal. The March 20, 2010, crash on Mackenzie Avenue, at the turn in front of the entrance to McArthur Island, killed 20-year-old Brittany Plotnikoff and 38-year-old Kenneth Craigdaillie. All three were at a party together and Fedan was driving them home. Both the B.C. Supreme Court and B.C. Court of Appeal rejected arguments that police required a search warrant before accessing data in the vehicle’s black box (known as the sensing diagnostic module, or SDM). Rankin and Varesi argue Canada’s highest court should consider the appeal based on what they call “an issue of national importance,” including four factors:

  • Changes in technology mean automobiles have become “repositories of potentially vast amounts of personal information about drivers” — information that should have protection of privacy rights.
  • The decision sets a precedent for seizure without a search warrant.
  • The decision is at odds with rulings in senior Ontario courts, which found drivers have an expectation of privacy in material contained in the black box.
  • The appeal asks whether the Canadian Charter of Rights and Freedoms limits police from accessing data from devices in automobiles. [Source]


US – Schumer Wants FTC to Investigate Billboard Tracking

Saying it raises “serious questions about privacy,” Sen. Chuck Schumer, D-N.Y., has called on the Federal Trade Commission to investigate Clear Channel Outdoor, a company that manufactures billboard-tracking technology. The RADAR technology uses mobile phone data to collect information for advertising. “Your personal cellphone should not become a James Bond-like gadget that’s used against you by some company,” Schumer said, adding, “You should have to give them permission to follow you when you drive or walk by a billboard.” Earlier this year, Sen. Al Franken, D-Minn., wrote a letter to the company with his privacy concerns. “RADAR uses only aggregated and anonymized information from privacy-compliant third-party data providers who have verified that they adhere to consumer-friendly business practices,” said Clear Channel Outdoor spokesman Jason King. [Full Story]

UK – Civil Rights Group Releases Video Satirizing Investigatory Powers Bill

Liberty, a civil rights campaign charity, released a video lampooning the potential surveillance powers the British government could possess if the Investigatory Powers Bill is passed. In “Show Me Yours,” comedian Olivia Lee approaches random citizens, browbeating them into showing personal information on their phones. Lee is met by a series of irritated individuals, highlighting Liberty’s opposition to the bill Home Secretary Theresa May is looking to pass and how citizens don’t want third parties looking at their information. “As our film shows, people naturally recoil when a stranger asks to see their phone — there’s a reason we use encrypted services and protect our phones and computers with passwords and codes,” said Larry Holmes, Liberty’s digital and campaigns coordinator. [The Huffington Post]

Telecom / TV

UK – 72% Orgs Support BYOD Despite Privacy/Security Concerns: Survey

According to the results of a new survey, 72% of organisations across the financial services, technology, healthcare, government and education sectors support BYOD for all or some employees. However, only 14% have successfully deployed Mobile Application Management (MAM) solutions, creating issues in areas such as controlling access to corporate data and enforcing device encryption. In most of the industries surveyed, employee satisfaction was seen as a key benefit of enabling BYOD, with government being the only exception where it was valued by less than half (44%) of respondents. In contrast, privacy was cited as the biggest inhibitor to BYOD adoption in 52% of SMBs, with large organisations being more concerned with security. Data leakage was one of the top concerns across all sectors, including 81% of financial services, 90% of healthcare and 79% of education organisations. Despite this concern, device encryption was supported in only 36% of educational institutions, 56% of financial services organizations and 57% of healthcare organizations. The full report, entitled ‘How Forward-Looking Industries Secure BYOD,’ surveyed more than 800 cyber security professionals and can be found here. [Source]

US Government Programs

US – FBI Use of National Security Letters Up by 50% in 2015

FBI requests for customer records under a secretive surveillance order increased by nearly 50 percent in 2015, according to a U.S. government transparency report published this week. Internet and telecommunications companies in 2015 received 48,642 requests, up from 33,024 reported in 2014, for data via so-called National Security Letters (NSLs). The NSL is a tool used by the FBI to gather phone numbers, email and IP addresses, web browsing histories and other information. An NSL does not require a warrant and is usually accompanied by a gag order. The number of actual written orders issued decreased in 2015, however, from 16,348 to 12,870. One NSL often contains multiple requests for information, such as a series of email addresses believed relevant to an investigation, where each address counts as one request. The year-to-year statistics may not be entirely precise due to changes in reporting requirements ushered in last year under a surveillance reform law passed by Congress, sources familiar with the process said, but they indicate general trends. The majority of NSL requests made in 2015, 31,863, sought information on foreigners, regarding a total of 2,053 individuals, according to a Justice Department memo sent to Congress, while the number of requests on U.S. persons declined. A U.S. government source said the rise in NSL requests is in part attributable to efforts by militant groups such as Islamic State to use multiple accounts across several different communications platforms. [Reuters]

US – White House to Commence Artificial Intelligence Workshops

In an official White House blog post, Deputy U.S. Chief Technology Officer Ed Felten announced a new series of public workshops designed to better understand the potential benefits and concerns about artificial intelligence. Felten notes that “a series of breakthroughs in the research community and industry have recently spurred momentum and investment” in the AI field. With a potential to transform health care, education and transportation, AI will also bring with it risks, including privacy and security risks. As a result, the White House Office of Science and Technology Policy will co-host four workshops in the coming months. Cities include Seattle, Washington, Pittsburgh and New York City. The workshops will then “feed into the development of a public report later this year,” Felten wrote. [Full Story]

US Legislation

US – House Passes Bill Aimed at Closing ECPA Loophole

The US House of Representatives has unanimously passed the Email Privacy Act, which would amend an outdated law to protect the privacy of digital communications. The wording of 1986’s Electronic Communications Privacy Act (ECPA) was being interpreted to allow law enforcement to demand email and other electronic communications without a warrant. The Email Privacy Act would require authorities to obtain warrants to access the information. [The Hill] [Ars Technica] [ComputerWorld] See also: The House Energy and Commerce Committee passed a bill levying heavy punishments for individuals committing the prank known as “swatting” — a form of online trolling.

US – Colorado Student Data Privacy Bill Gets Unanimous Senate Approval

The 2016 legislative session’s biggest education policy bill — a measure intended to protect the privacy and security of student educational data — passed the Senate 35-0 this week. The vote continued the unbroken string of success for House Bill 16-1423, which has passed unanimously on every committee and floor roll call since it was introduced. That’s a pattern usually seen only with the most minor, technical bills. The measure’s original text also has survived almost entirely intact. The main elements of the bill include a detailed definition of personally identifiable information that must be protected, restrictions on software companies and other vendors, and additional transparency and disclosure requirements for the Colorado Department of Education and school districts. The bill also sets some district controls over classroom apps and software used by teachers. The bill returns to the House for consideration of non-controversial amendments, approval of which will be a formality. [Source]

US – Other US Legislative Developments



